Cryzip
Cryzip, or ZippoCrypt, is ransomware that runs on Microsoft Windows. Cryzip uses a commercial zip library to store the victim's files inside a password-protected zip archive. Although the zip encryption is stronger, a brute-force attack on the files is still possible, especially if one has a copy of one of the original files stored inside the zip (a known-plaintext scenario). According to Secureworks, Cryzip takes code from a Bagle variant from 2004.

Payload

When run, Cryzip searches the C: drive (skipping directories named "system" or "system32") for files with the extensions listed below. Each matching file is added to a zip archive, overwritten with the text "Erased by Zippo! GO OUT!!!", and then deleted, leaving only the encrypted zip file, named original-file-name_CRYPT_.ZIP, where original-file-name is the original file name including its extension. Cryzip searches for and zips files with the following extensions:

*.arh *.asm *.arj *.bas *.cdr *.cgi *.chm *.cpp *.db1 *.db2 *.dbf *.dbt *.dbx *.doc *.dpr *.dsw *.frm *.frt *.frx *.gtd *.gzip *.jpg *.key *.kwm *.lst *.man *.mdb *.mmf *.old *.p12 *.pas *.pak *.pdf *.pgp *.pwl *.pwm *.rar *.rtf *.safe *.tar *.txt *.xls *.xml *.zip

After it has finished processing a directory, Cryzip leaves a text file named AUTO_ZIP_REPORT.TXT in that directory, which contains the following text (reproduced verbatim, including the author's spelling):

OUR E-GOLD ACCOUNT: XXXXXXX
INSTRUCTIONS HOW TO GET YUOR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.
This is automated report generated by auto archiving software.
Your computer catched our software while browsing illigal pornpages, all your documents, text files, databases was archived
with long enought password.
You can not guess the password for your archived files - password
lenght is more then 10 symbols that makes all password recovery
programs fail to bruteforce it (guess password by trying all
possible combinations).
Do not try to search for a program what encrypted your information - it
is simply do not exists in your hard disk anymore.
If you really care about documents and information in encrypted files
you can pay using electonic currency $300.
Reporting to police about a case will not help you, they do not know
password. Reporting somewhere about our e-gold account will not help
you to restore files. This is your only way to get yours files back.
------------------------------
How to pay to get your information back.
1. click on this link to open your free e-gold account - the first screen is the e-gold "terms and conditions" page. You need to agree to these by clicking on the "I AGREE" button on the bottom on the page.
2. On the next page is the sign up form:
 1. "Account name" - here is where you name your account - tip: make it easy to remember (as you will be asked for it) and reasonably short, example, "John's e-gold", "My Money e-gold" or perhaps "Felix" (whatever you like, just make it easy for you to remember it).
 2. "User Name" - here just repeat the account name (from 1 above).
 3. "Point of Contact" - this is where you put our name, address, phone number and email address (any email address can be used here but it is recommended you use your ISP address - not a free hotmail, etc address). It is also recommended your also include a fax number (don't have a fax number? This company offers free fax to email services). Try and make it as easy as possible for e-gold to contact
you.
 4. "Passphrase" - this is the most important piece of information connected to any e-gold account. We can not stress enough how important it is that your passphrase is kept safe and secure.
 5. "Turing Number Entry" - type the 6 numbers you see there into the
input box below.
 6. The last step click "Open"
On the next page it will tell you that your e-gold account number has been
emailed to you.
check your email - you can expect to wait up to 5 minutes for your account
number
to arrive.
If it does not arrive after 5 minutes then that means the email
address
you supplied was incorrect and you will have to open another new account (go
through
and repeat what you just did above again).
To buy e-gold to your account please use official exchange services
http://www.me-gold.com/
http://www.goldex.net/
http://usece.com/
or try to search own way with
http://gold-pages.net/e-Gold__1MDC__Pecunix_Wizard_Links/Purchase_E-gold/index.html
http://www.google.com/search?hl=en&q=buy+e-gold&btnG=Google+Search
FINALLY when you bought e-gold you have to transfer $300 to our e-gold
account.
In next 24 hours you will recieve $1 back to your account. Transfer details
of this $1 transfer will have a link to software that will automatically
unzip all your files back to normal state.
Next day login to your account https://www.e-gold.com/acct/login.html,
press History and press submit, you will see LINK TO UNZIP-software.
##########################################################################
Remember you are just $300 away from your files
##########################################################################

At the top of the AUTO_ZIP_REPORT.TXT file, the number of an E-Gold account is inserted. This number is picked at random from a list embedded in the DLL. By operating many accounts simultaneously, the trojan author is betting that even if E-Gold shuts down some of the accounts, payments will still arrive on some of the others. The text of the AUTO_ZIP_REPORT.TXT file is stored inside the Cryzip DLL encoded with a simple XOR (key 0x13). The password used to zip the files is also embedded inside the DLL, but it is not encrypted; instead, the author chose to hide the password in plain sight, as a string that looks like a file system path. The password is:

*C:\Program Files\Microsoft Visual Studio\VC98
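An added analysis example, not from the wiki page or the Cryzip authors: it recovers a single-byte XOR-encoded ransom text from a binary image by searching for a known crib under all 256 keys, and lists clear-text strings so that an unencoded password stands out. The `find_xor_string` and `printable_strings` helpers and the sample image are constructed here; only the 0x13 key, the note's opening words and the password come from the page.

```python
CRIB = b"OUR E-GOLD ACCOUNT"  # opening words of AUTO_ZIP_REPORT.TXT, from the page
PASSWORD = b"*C:\\Program Files\\Microsoft Visual Studio\\VC98"  # from the page
# Constructed stand-in for the Cryzip DLL: control-byte filler, the note XOR'd with
# 0x13 (the key the page reports), a NUL, then the clear-text password.
NOTE = b"OUR E-GOLD ACCOUNT: XXXXXXX\r\nINSTRUCTIONS HOW TO GET YUOR FILES BACK\r\n"
FILLER = bytes(range(1, 32)) * 4


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_sample_image():
    return FILLER + xor_bytes(NOTE, 0x13) + b"\x00" + PASSWORD + b"\x00" + FILLER


def find_xor_string(image, crib=CRIB, max_len=4096):
    """Try all 256 single-byte keys; return (key, offset, decoded text) or None."""
    for key in range(256):
        offset = image.find(xor_bytes(crib, key))
        if offset < 0:
            continue
        out = bytearray()
        for b in image[offset:offset + max_len]:
            c = b ^ key
            if c in (9, 10, 13) or 32 <= c < 127:  # stop at the first non-text byte
                out.append(c)
            else:
                break
        return key, offset, out.decode("ascii")
    return None


def printable_strings(image, min_len=8):
    """Minimal 'strings': the unencoded password shows up here, looking like a path."""
    found, run = [], bytearray()
    for b in image + b"\x00":  # trailing NUL flushes the last run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found
```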
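An added triage example, not part of the wiki page or of any vendor tool: it walks a directory tree for the `_CRYPT_.ZIP` archives and AUTO_ZIP_REPORT.TXT files Cryzip leaves behind, maps each archive back to the original file name, and extracts it with the embedded password. The function names and the constructed victim tree are assumptions, as is the assumption that the archives use traditional PKWARE (ZipCrypto) encryption, which Python's zipfile can read.

```python
import os
import tempfile
import zipfile

# Artifacts Cryzip leaves behind, as described on the page.
CRYZIP_SUFFIX = "_CRYPT_.ZIP"
REPORT_NAME = "AUTO_ZIP_REPORT.TXT"
# Zip password embedded in clear text in the Cryzip DLL, as quoted on the page.
CRYZIP_PASSWORD = b"*C:\\Program Files\\Microsoft Visual Studio\\VC98"


def original_name(zip_name):
    """Map 'report.doc_CRYPT_.ZIP' back to 'report.doc'; None if not a Cryzip name."""
    if len(zip_name) > len(CRYZIP_SUFFIX) and zip_name.upper().endswith(CRYZIP_SUFFIX):
        return zip_name[:-len(CRYZIP_SUFFIX)]
    return None


def scan_tree(root):
    """Walk a tree and collect Cryzip archives and ransom reports for triage."""
    found = {"archives": [], "reports": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == REPORT_NAME:
                found["reports"].append(path)
            elif original_name(name) is not None:
                found["archives"].append(path)
    return found


def recover(zip_path, out_dir, password=CRYZIP_PASSWORD):
    """Extract one archive with the embedded password and return its member names."""
    # Assumption: traditional PKWARE (ZipCrypto) entries, which zipfile can decrypt
    # given pwd; AES-encrypted zips would need a third-party library instead.
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(out_dir, pwd=password)
        return zf.namelist()


def demo():
    # Constructed victim tree; an unencrypted zip stands in for a real Cryzip archive.
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with zipfile.ZipFile(os.path.join(docs, "report.doc_CRYPT_.ZIP"), "w") as zf:
        zf.writestr("report.doc", "quarterly numbers")  # constructed sample content
    with open(os.path.join(docs, REPORT_NAME), "w") as fh:
        fh.write("OUR E-GOLD ACCOUNT: XXXXXXX\n")  # constructed sample note
    found = scan_tree(root)
    members = recover(found["archives"][0], os.path.join(root, "recovered"))
    with open(os.path.join(root, "recovered", "report.doc")) as fh:
        return found, members, fh.read()
```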